alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M1"; flow:established,from_server; content:"|2c 31 25 25 27 3a 7e|"; content:"|2c 31 25 25 27 3a 7e|"; distance:0; pcre:"/[-\d]{1,4}(?:\x2c\x31\x25\x25\x27\x3a\x7e[-\d]{1,4}){10}/R"; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034183; rev:1; metadata:created_at 2021_10_13, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_10_13, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)